PRIVACY POLICY

AI Tutor Ecosystem

Last Updated: March 3, 2026

This Privacy Policy (“Policy”) describes how Expandel processes Personal Data in connection with access to and use of the AI Tutor Platform, its websites, applications, integrations, institutional environments, support channels, and related services.

This Policy must be read together with the Terms of Use, institutional agreements, DPA, and any other specific instruments that may apply.

1. Who We Are

AI Tutor is operated, depending on the applicable territory and contracting structure, by:

EXPANDEL TECNOLOGIA LTDA, registered in Brazil under CNPJ No. 22.724.566/0001-07, with registered address at R. Francisco Rocha, 198 – Batel, Curitiba – PR, 80420-130, Brazil, for users and Institutional Customers located in Brazil (“Brazil Operations”); and/or

EXPANDEL LLC, registered under EIN No. 35-2900120, with mailing address at 7345 W Sand Lake Rd Ste 210 Office 2098, Orlando, FL 32819, United States, for users and Institutional Customers located outside Brazil (“Global Operations”).

For the purposes of this Policy, such entities may act as controllers, joint controllers, or processors, depending on the specific circumstances and applicable law.

2. Scope

This Policy applies to the processing of Personal Data when you:

I. access or use the Platform;

II. create an Account or authenticate through third parties;

III. subscribe to a plan or receive institutional access;

IV. contact support, customer service, sales, or legal teams;

V. participate in demonstrations, tests, trials, onboarding, or training;

VI. browse our websites or digital environments related to AI Tutor;

VII. enable integrations with third-party services, including, without limitation, Google Classroom, Google Drive, Google Calendar, Google Workspace, Microsoft 365, Microsoft Graph, or equivalent services.

3. Categories of Data Processed

Depending on the context, we may process:

3.1. Registration and identification data
Name, email, phone number, job title, institution, internal identifiers, access profile, country, language, billing data, and related information.

3.2. Authentication data
Credentials, tokens, federated login data, session data, access history, approximate IP, device identifiers, and related logs.

3.3. Content submitted to the Platform
Prompts, files, texts, answers, questions, documents, parameters, comments, messages, Inputs, and other materials entered by Users or Institutional Customers.

3.4. Usage and telemetry data
Navigation records, clicks, events, logs, technical metadata, feature consumption, performance metrics, errors, crashes, timestamps, and usage indicators.

3.5. Support and relationship data
Messages sent to support, requests, complaints, feedback, tickets, recordings, or service records, where applicable.

3.6. Financial and commercial data
Contracting information, plans, billing history, invoices, receipts, payment status, and data necessary for commercial management, without prejudice to processing by payment intermediaries.

3.7. Data originating from integrations and access scopes
Information obtained from integrations and permissions granted by the User or Institutional Customer with third-party providers, including data derived from OAuth scopes, APIs, federated authentication resources, integration metadata, account identifiers, class lists, files, calendars, administrative permissions, and other data strictly necessary for enabled features.

4. Purposes of Processing

We may process Personal Data to:

I. enable registration, authentication, and secure access to the Platform;

II. provide, operate, maintain, personalize, and improve the Services;

III. perform contracts, proposals, trials, orders, renewals, and billing;

IV. provide support, customer service, onboarding, operational communication, and training;

V. prevent fraud, abuse, security incidents, misuse, and contractual violations;

VI. comply with legal, regulatory, tax, accounting, and administrative obligations;

VII. exercise rights in judicial, administrative, or arbitral proceedings;

VIII. generate metrics, statistics, telemetry, and operational intelligence;

IX. maintain logs, trails, traceability, and internal controls;

X. respond to requests from data subjects, authorities, and legitimate partners;

XI. send institutional, operational, and, where permitted, commercial communications;

XII. enable, operate, and maintain integrations with third-party providers, including Google and Microsoft, subject to the scopes and permissions actually granted.

5. Legal Bases

Where Brazilian law applies, processing may be based on, as applicable:

I. performance of a contract or preliminary procedures related to a contract;

II. compliance with legal or regulatory obligations;

III. regular exercise of rights in judicial, administrative, or arbitral proceedings;

IV. legitimate interest, subject to the rights and freedoms of the data subject;

V. credit protection;

VI. consent, where necessary or adopted as an appropriate legal basis.

Where other jurisdictions apply, processing shall observe equivalent legal bases provided by the relevant legislation.

6. Data Sharing

We may share Personal Data, to the extent necessary and appropriate, with:

I. cloud, hosting, and infrastructure providers;

II. authentication and identity management providers;

III. payment processors, billing systems, ERP, and tax issuance providers;

IV. monitoring, support, analytics, messaging, and security providers;

V. consultants, auditors, lawyers, and specialized service providers subject to confidentiality obligations;

VI. public, regulatory, judicial, or administrative authorities, when required by law or valid order;

VII. companies within the same economic group or business successors in the context of corporate reorganization, merger, acquisition, incorporation, or asset transfer;

VIII. integrated providers and subprocessors required for enabled integrations, subject to granted permissions and the purpose of processing.

7. International Data Transfers

7.1. AI Tutor may use infrastructure, systems, service providers, and operational flows located in more than one country.

7.2. As a result, Personal Data may be transferred internationally for hosting, authentication, support, security, monitoring, backup, provision of the Services, contractual performance, and operation of integrations with third-party providers.

7.3. Whenever applicable, Expandel shall adopt appropriate legal mechanisms for international data transfers, including standard contractual clauses, adequacy decisions, equivalent instruments, or other mechanisms recognized by applicable law.

8. Roles of Controller and Processor

8.1. In some situations, Expandel will act as controller, especially in relation to:

I. management of its own registration database;

II. Platform security;

III. fraud prevention;

IV. operational metrics;

V. billing and collections;

VI. legal compliance;

VII. commercial relationship management.

8.2. In institutional contracting scenarios, Expandel may act as processor on behalf of the Institutional Customer when the latter defines the purposes and essential means of processing Personal Data inserted into the Platform.

8.3. In such cases, processing shall also observe the DPA and any applicable documented instructions.

9. Children and Adolescents

9.1. The Platform may be used in educational contexts. Where data of children or adolescents is processed, Expandel expects that the Institutional Customer or legal guardian has an appropriate legal basis, governance mechanisms, and measures compatible with applicable law.

9.2. We strongly recommend the adoption of minimization, access control, profile-based segregation, and periodic review of permissions in environments involving minors.

10. Information Security

10.1. We adopt reasonable technical, administrative, and organizational measures to protect Personal Data against unauthorized access, destruction, loss, alteration, communication, or improper disclosure.

10.2. Such measures may include, where applicable, access control, reinforced authentication, logs, encryption in transit, encryption at rest, backups, logical segregation, monitoring, and incident management.

10.3. No environment is fully invulnerable. Therefore, we also recommend that Users and Institutional Customers adopt their own security controls, including secure credential management, permission segregation, and review of content inserted into the Platform.

11. Use of Data Originating from Google and Microsoft APIs and Integrations

11.1. Where the User or Institutional Customer authorizes access scopes and permissions with providers such as Google and Microsoft, Expandel shall process the obtained data only to the extent necessary to provide the enabled and requested functionalities.

11.2. Expandel shall observe, where applicable, the integrated providers’ policies relating to consent screens, limited use of data, verification of sensitive or restricted scopes, security, and transparency.

11.3. Expandel shall not sell data obtained through integrated providers’ APIs nor use such data for personalized advertising based on that data.

11.4. Human access to data originating from such integrations shall occur only when necessary for requested support, legal compliance, maintenance of security, fraud prevention, or investigation of technical incidents, always subject to access controls and confidentiality.

12. Retention and Deletion

12.1. Personal Data shall be retained for as long as necessary for:

I. provision of the Services;

II. contractual compliance;

III. compliance with legal, regulatory, tax, and accounting obligations;

IV. fraud prevention and security;

V. regular exercise of rights.

12.2. After the end of the purpose or contractual relationship, data may be deleted, anonymized, or kept blocked, depending on the nature of the data, legal retention periods, and applicable legitimate interests.

13. Data Subject Rights

Under applicable law, the data subject may request, where applicable:

I. confirmation of the existence of processing;

II. access to the data;

III. correction of incomplete, inaccurate, or outdated data;

IV. anonymization, blocking, or deletion of unnecessary data or data processed in violation of the law;

V. portability, where applicable;

VI. information on sharing;

VII. withdrawal of consent, where consent is the legal basis;

VIII. objection to processing, where applicable.

Requests may be submitted through the channel indicated in Section 17, and reasonable identity and legitimacy verification elements may be required.

14. Cookies and Similar Technologies

14.1. We may use cookies, pixels, local storage, SDKs, and similar technologies for authentication, security, technical operation, performance, preferences, and analytics.

14.2. The User may manage preferences through browser or device settings or mechanisms made available on the Platform, acknowledging that disabling certain features may affect essential functionalities.

15. Communication and Marketing

15.1. Expandel may send transactional, technical, operational, contractual, and security communications related to the Services.

15.2. Promotional or institutional communications of a non-essential nature shall observe applicable law and any available opt-out mechanisms.

16. Changes to this Policy

16.1. This Policy may be updated to reflect legal, regulatory, operational, contractual, or technological changes.

16.2. The update date shall always be indicated in the header of the document.

17. Privacy Contact

Requests relating to Personal Data, exercise of rights, and questions about this Policy may be directed to:

Privacy / Personal Data: [email protected]

General Support: [email protected]

If a formal data protection officer is appointed, their details may be disclosed through an official Platform channel or in a specific instrument.